← Back

CVE-2009-3931

nvd nist
Published: Nov 12, 2009Modified: Apr 23, 2026

JSON object

Loading...
9.3
Vector
AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploitability: 8.6 / Impact: 10.0
Source: NVD

Description

Incomplete blacklist vulnerability in browser/download/download_exe.cc in Google Chrome before 3.0.195.32 allows remote attackers to force the download of certain dangerous files via a "Content-Disposition: attachment" designation, as demonstrated by (1) .mht and (2) .mhtml files, which are automatically executed by Internet Explorer 6; (3) .svg files, which are automatically executed by Safari; (4) .xml files; (5) .htt files; (6) .xsl files; (7) .xslt files; and (8) image files that are forbidden by the victim's site policy.

Affected (43)

Products: Google: Chrome
Google
1 product
Chrome
Configuration A
43 vulnerable
Vulnerable SoftwareAffected Versions
Google
Chrome
Up to 3.0.195.21
Chrome
Version 0.2.149.27
Chrome
Version 0.2.149.29
Chrome
Version 0.2.149.30
Chrome
Version 0.2.152.1
Chrome
Version 0.2.153.1
Chrome
Version 0.3.154.0
Chrome
Version 0.3.154.3
Chrome
Version 0.4.154.18
Chrome
Version 0.4.154.22
Chrome
Version 0.4.154.31
Chrome
Version 0.4.154.33
Chrome
Version 1.0.154.36
Chrome
Version 1.0.154.39
Chrome
Version 1.0.154.42
Chrome
Version 1.0.154.43
Chrome
Version 1.0.154.46
Chrome
Version 1.0.154.48
Chrome
Version 1.0.154.52
Chrome
Version 1.0.154.53
Chrome
Version 1.0.154.59
Chrome
Version 1.0.154.65
Chrome
Version 2.0.156.1
Chrome
Version 2.0.157.0
Chrome
Version 2.0.157.2
Chrome
Version 2.0.158.0
Chrome
Version 2.0.159.0
Chrome
Version 2.0.169.0
Chrome
Version 2.0.169.1
Chrome
Version 2.0.170.0
Chrome
Version 2.0.172.27
Chrome
Version 2.0.172.28
Chrome
Version 2.0.172.2
Chrome
Version 2.0.172.30
Chrome
Version 2.0.172.31
Chrome
Version 2.0.172.33
Chrome
Version 2.0.172.37
Chrome
Version 2.0.172.38
Chrome
Version 2.0.172.8
Chrome
Version 2.0.172
Chrome
Version 3.0.182.2
Chrome
Version 3.0.190.2
Chrome
Version 3.0.193.2 beta

Related CWEs

CWE-20
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (26)

Source: cve@mitre.org
Source: cve@mitre.org
Source: cve@mitre.org
Source: cve@mitre.org
Source: cve@mitre.org
Source: cve@mitre.org
Source: cve@mitre.org
Vendor Advisory
Source: cve@mitre.org
Source: cve@mitre.org
Source: cve@mitre.org
Source: cve@mitre.org
Source: cve@mitre.org
Vendor Advisory
Source: cve@mitre.org
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.